Tags for AWS resources created implicitly by other resources

[ewbankkit]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

When AWS EC2/VPC (and maybe other service) resources are shared with another account via RAM the tags from the creating account are not copied to the accepting account and so for example a shared subnet has no Name in the accepting account's AWS Console.

We decouple much of our Terraform code by creating for example all subnet resources in one module (with a predefined set of tags) and then using a data source in another module (specifying those predefined tags) to find a specific subnet ID (for an ASG or whatever).
This won't work when a subnet is shared into an account as those predefined tags are missing.

Doing a terraform import for those shared resources won't really work as the accepting account doesn't own the resource's lifecycle and can only change tags on the resource.

My thinking is to have a Terraform resource in the accepting account that can manage just the tags on these shared VPC resources.

New or Affected Resource(s)

• aws_subnet
• Others TBD

References

#8457 seems to be a solution to a similar problem.

Related:

• Introduce Mechanism to Tag AMIs #5898

[ewbankkit]

Look also at shared Route 53 Resolver Forwarding Rules which can have tags.

[ewbankkit]

Another use case is for tagging EC2 resources implicitly created by other resources such as the transit gateway attachment created by associating a Direct Connect gateway.

[ewbankkit]

Another similar thing for Route 53 Hosted Zones created via Servicediscovery: #7840

[erikkn]

This feature is very much appreciated! Looks like it is not supported by AWS yet though, so we should probably wait for them. Really annoying that the tags that you set on an object - for example the TGW - are not automatically shared; this prevents you pretty much from doing more robust setups.

[joestump]

@erikkn AWS does allow you to tag resource by ID. My PR #8457 allows for decoupling of resource creation from tagging.

[ewbankkit]

Another use case is for the EC2 resources created as part of an EKS Managed Node Group - #10915.
The tags set on the aws_eks_node_group resource are not applied to the managed EC2 resources.

[ewbankkit]

Another use case is for the EC2 instance that satisfies an aws_spot_instance_request - See #32, #3481, #13229.

[ewbankkit]

Another one - tagging DynamoDB resources: #6859.

[ewbankkit]

Another one - tagging ECS cluster created for Batch: #11951.

[n3ph]

Another one - Tagging EC2 Transit Gateway Route Tables created in cross account. They will be unnamed in the account holding the Transit Gateway itself..

[david-wells-1]

Another use case - when resource aws_vpn_connection creates connection - the attachment on the transit gateway is not/cannot be tagged.

Details here: #12535

[ewbankkit]

And another bunch, the COIP and Local Gateway resources created when setting up an AWS Outpost - #12302.

[ewbankkit]

Another use case:

• Add 'snapshot_tags' attribute to 'aws_ami_from_instance' resource #13493

[sc250024]

Would be lovely to have a generic pass_tags or created_resource_tags for this use case. We currently don't have tags on the EC2 instances created from EKS managed node group Autoscaling groups (#9061 (comment)), so that would be nice to have. Thanks for the issue @ewbankkit !

[ewbankkit]

Another use case:

• Unable to tag DynamoDB global table replicas #13725

[bflad]

A new aws_ec2_tag resource for managing individual EC2 resource tags has been merged and will release with version 2.67.0 of the Terraform AWS Provider, later next week. This resource should only be used in cases where EC2 resources are created outside Terraform (e.g. AMIs), being shared via Resource Access Manager (RAM), or implicitly created by other means (e.g. Transit Gateway VPN Attachments).

# Example configuration in Terraform 0.12 and later syntax
resource "aws_ec2_transit_gateway" "example" {}

resource "aws_customer_gateway" "example" {
  bgp_asn    = 65000
  ip_address = "172.0.0.1"
  type       = "ipsec.1"
}

resource "aws_vpn_connection" "example" {
  customer_gateway_id = aws_customer_gateway.example.id
  transit_gateway_id  = aws_ec2_transit_gateway.example.id
  type                = aws_customer_gateway.example.type
}

resource "aws_ec2_tag" "example" {
  resource_id = aws_vpn_connection.example.transit_gateway_attachment_id
  key         = "Name"
  value       = "Hello World"
}

As with any Terraform 0.12.6 or later configuration, this resource can be combined with for_each support to manage multiple resource tags, if necessary.

Thanks to @joestump and others who made the implementation possible. 👍

---

While the above covers EC2 resources, we would highly suggest creating individual GitHub feature requests for other AWS services since these types of general issues lack a definition of done.

Here's what I see above so far:

• Autoscaling Tag Resource (propagate EKS Node Group tags): EKS Node Group Resource Tag Inheritance #13643
• DynamoDB Tag Resource (support DynamoDB Global Table v2 replica tags): Unable to tag DynamoDB global table replicas #13725 / (support Kinesis client library created table tags): Add resource for "aws dynamodb tag-resource" to support Local DynamoDb #6859
• ECS Tag Resource (propagate Batch Compute tags): [Batch] Add Tags to the ECS cluster created by AWS Batch #11951

I will however keep this open for a short while longer since we will likely want to implement a few general enhancements to make creating these service tag resources easier, which will be the definition of done for this particular issue:

• Implementing a "get tag" function generator within the internal/keyvaluetags package to make the resource implementations consistent
• Switching the aws_ec2_tag resource to the above implementation
• Documenting the process for creating these resources
• (Optionally) Creating a generator for the tagging resources or resource functions

[github-actions]

This functionality has been released in v3.56.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[Benvorth]

Same for aws_ec2_transit_gateway_vpc_attachment, please re-open

[Benvorth]

Tested version was
required_providers { aws = { source = "hashicorp/aws" version = ">=3.56.0" } }

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.